state of vermont retainer contract for it professional...

of 58

STATE OF VERMONT RETAINER CONTRACT FOR IT PROFESSIONAL SERVICES WEST LAKE CONSULTING, INC. - CONTRACT # 32001

1. Parties. This is a contract for services (the “Master Agreement”) between the State of Vermont,

Department of Buildings and General Services, Office of Purchasing & Contracting (hereinafter “State”), and WEST LAKE CONSULTING, INC., with principal place of business at FITZWILLIAM, NH (hereinafter called “Contractor”). Contractor’s form of business organization is incorporated. It is the Contractor’s responsibility to contact the Vermont Department of Taxes to determine if, by law, the Contractor is required to have a Vermont Department of Taxes Business Account Number.

2. Subject Matter. The Contractor shall provide information technology services in the category(s) described in Attachment A. Detailed services to be provided by the Contractor will be described in subsequent Statement of Work (SOW) Agreements with Contracting Agencies (as defined herein), according to the process set forth in Attachment A.

3. Maximum Amount. In consideration of the services to be performed by Contractor under this Master Agreement, the State agrees to pay Contractor, in accordance with the payment provisions specified in Attachment B, a maximum amount not to exceed $100,000.00.

4. Contract Term. The period of Contractor’s performance shall begin on July 1, 2016 and end on June 30, 2018. The term of this Master Agreement may be extended for two additional one-year periods at the discretion of the State. Upon the termination of this Master Agreement, all outstanding SOW Agreements shall terminate.

5. Prior Approvals. In accordance with current State law, bulletins, and interpretations, this Master Agreement shall not be binding until it has been approved by the Vermont Attorney General’s Office, the Secretary of Administration, and the State’s Chief Information Officer.

6. Amendment. No changes, modifications, or amendments in the terms and conditions of this Master Agreement shall be effective unless reduced to writing, numbered and signed by the duly authorized representative of the State and Contractor. The parties acknowledge and agree that the SOW Agreement process set forth herein shall not be used to effectuate any changes, modifications, or amendments in the terms and conditions of this Master Agreement, and that any provision in a SOW Agreement purporting to do such shall be null and void.

7. Cancellation. Either party may cancel this Master Agreement or any SOW Agreement by giving written notice at least 30 days in advance.

8. Attachments. This Master Agreement consists of 58 pages including the following attachments which are incorporated herein and shall apply to each SOW Agreement executed pursuant to this Master Agreement:

Attachment A – Scope of Work

of 58

Attachment B – Payment Provisions Attachment C – “Standard State Provisions for Contracts and Grants” a preprinted form (revision date July 1, 2016 Attachment D – Technology Terms and Conditions Attachment D1 – Form Statement of Work RFP (SOW-RFP) Attachment D2 – Statement of Work Agreement Attachment E – AHS Business Associate Agreement dated 05/05/15 (If Applicable) Attachment F – Agency of Human Services’ Customary Contract Provisions dated 12/10/10 (If Applicable) All references to the “Agreement” in Attachment C shall be deemed to refer to this Master Agreement and all SOW Agreements entered into hereunder.

9. Order of Precedence. Any ambiguity, conflict or inconsistency among the documents comprising this Master Agreement shall be resolved according to the following order of precedence:

1) Standard Contract (pages 1 and 2 of this document) 2) Attachment D (Technology Terms and Conditions) 3) Attachment C (Standard Contract Provisions for Contracts and Grants)

4) AHS Attachment E: Business Associate Agreement (If Applicable) 5) AHS Attachment F: Agency of Human Services’ Customary Contract Provisions (If

Applicable) 6) Attachment A

7) Attachment B WE THE UNDERSIGNED PARTIES AGREE TO BE BOUND BY THIS MASTER AGREEMENT.

State of Vermont Agency: BGS Office of Purchasing & Contracting

WEST LAKE CONSULTING, INC.

By: By:

Name: Name:

Title: Title: Date:

Date:

of 58

ATTACHMENT A – SCOPE OF SERVICES

Contractor shall provide the State with professional services on an as needed basis as identified below (the “Services”). The State will not be purchasing hardware or software under this Contract.

1. IT Service Categories authorized under this agreement include the following:

A. Business Analyst & Project Management Services

Contractor shall provide business analysis and project management services necessary to ensure technical projects successfully meet the objectives for which they were undertaken. Following are characteristics of this Service:

1. Business Analysis: Contractor shall evaluate, document and recommend changes to

business processes and the development, implementation and support of process improvements to eliminate redundancy and increase productivity and reduce cost; interview subject matter experts and others to develop requirements for engineered or commercial off the shelf software and systems.

2. Project Management: Project Management Institute (PMI) certified project manager

executing any or all of the following:

• Development of Project Charter • Development of project plan and schedule • Coordination and scheduling of project activities across customer and functional

areas • Consultation on operational and infrastructure requirements, standards and

configurations • Facilitate project status meetings • Timely project status reporting • Address project issues with functional areas and management • Escalation of significant issues to customers and executive management • Manage project scope and deliverable requirements • Document changes to project scope and schedule • Facilitate and document project closeout

B. Infrastructure (Physical/Virtual) Support Services

Contractor shall provide expert technical services in all aspects of infrastructure design, setup, installation, diagnosis, repair and maintenance. Contractor may be required to support enterprise class storage, blade and server technologies; and perform inter connectivity, performance, failover, deployment and/or administration of VMware product suite. Services range from advance system administrative functions in a

of 58

VMware environment to various complex blade and storage (SAN/ISCSI/etc.) to ongoing support of Citrix and Windows Server environments.

Following are Requirements and Capabilities for this Service:

• Installation, procurement and maintenance of storage sub systems and

processing capacity (blade and standard servers) • Technical support of associated infrastructure necessary for the quality, security,

performance, availability, recoverability, and reliability of the system • Ensure scheduled preventive maintenance for equipment is properly and

promptly performed • Maintain the maintenance records on the equipment • Develop operations, administrative, and quality assurance back-up plans and

procedural documentation.

C. DBA/SQLDBA/Relational Database Support

Contractor shall provide services to support the function of database administration.

Following are Requirements and Capabilities for this Service: • Support of Oracle Software • Upgrades • PeopleSoft Applications

D. PeopleSoft Application / System Administration Support Contractor shall provide services to support PeopleSoft ERP platforms: HR and Financials. Following are Requirements and Capabilities for this Service:

• PeopleSoft HR (HCM, North American Payroll, Benefits Admin, Time and Labor, Talent Acquisition, Candidate Gateway), Financials (GL, AR, AM, AP, Billing, Inventory, Purchasing)

• System Support • Developer support • Application support • Peoplecode, SQR, Integration Broker, Applications Designer, App Engine • PeopleSoft on Linux • PeopleSoft 8.8, 9.1, 9.2 • Upgrades

2. Participation: This Master Agreement may be used by all agencies, departments, offices,

commissions, boards and authorities of the State of Vermont (hereinafter “Agency”)

of 58

according to the Statement of Work process and other restrictions applicable to Statement of Work Agreements as set forth herein.

3. Statement of Work Process Overview:

A. When a Contracting Agency has a need for services in one or more of the categories described in Section 1, the Agency will prepare and deliver a Form Statement of Work RFP (SOW-RFP) to the pre-qualified vendors on the list found on the OPC website at http://bgs.vermont.gov/purchasing/forms .

B. Vendors will then submit proposals within the date and time established by the Agency.

C. Following proposal evaluation, in the best interest of the State, the Agency may enter into a Statement of Work Agreement with the selected vendor.

D. The Statement of Work Agreement will be administered by the Agency.

E. Projects over $100,000 require Standard Request for Proposals (RFPs). Any State project having an actual or anticipated cost greater than $100,000 may not be executed pursuant to this Master Agreement, and must instead undergo a formal RFP process.

4. General Requirements: The following is applicable to all work performed pursuant to this

Master Agreement.

The Contracting Agency, on an as needed basis, will prepare project specific Statements of Work to be performed under this Master Agreement and submit them to the Contractor and other vendors for proposals in a form substantially in the form attached hereto as Attachment D-1 (“Form Statement of Work RFP”). This is referred to as the SOW-RFP process and may include any or all of the following:

a. a pre-proposal conference b. a question and answer period c. amendment or revocation of the SOW-RFP where necessary d. proposal evaluation e. award recommendation.

Contractor may submit a response to the SOW RFP and shall describe how the Contractor is best qualified to meet the requirements of the SOW RFP in accordance with this Master Agreement. Proposed pricing must be submitted in response to each SOW RFP as a fixed cost or time and materials, as requested in the SOW RFP, based on completion of deliverables as described in the SOW RFP, inclusive of all expenses. Any Contractor-required terms and conditions (hereinafter “Contractor Document” and as defined further below in this Attachment A) must be submitted with the response to the SOW RFP. The terms of any such Contractor Document shall be subject to State review, negotiation and approval. When the applicable Contracting Agency decides which, if any, of the proposals reflect the State’s best interest, an SOW Agreement, in a form substantially in the form

http://bgs.vermont.gov/purchasing/forms

of 58

attached hereto as Attachment D-2 (“Form SOW Agreement”), will be drafted and signed by both the Contracting Agency and the Contractor (each, an “SOW Agreement”). All SOW Agreements shall be subject to the terms of this Master Agreement and SOW Agreement terms which purport to supersede these Master Agreement terms shall be void and have no effect.

All SOW Agreements between the Contractor and the Agency of Human Services shall include specific reference to the applicable Attachments attached hereto. The Contractor will not be compensated for time spent developing proposals in response to a Statement of Work RFP.

of 58

A. RESPONSIBILITY FOR SOW-RFP AND SOW AGREEMENT: The Agency representative has the primary responsibility for the management of the SOW-RFP process, for the resolution of SOW scope issues, and for authorizing any changes to the SOW Agreement. The Agency representative identified in the SOW Agreement, may perform administrative functions, issue written directions; monitor Contractor compliance with the terms and conditions of this Master Agreement and the SOW Agreement; and approve project deliverables. Contractor shall be responsible for achieving on budget/on time/on target (e.g., within scope) completion of the applicable SOW Agreement.

B. SOW RFP SUBMISSIONS: All SOW RFP responses must be submitted prior to the date and time specified in the SOW RFP. The Agency will not accept proposals after the date and time set forth in the SOW-RFP. The Contractor’s SOW Proposal shall be submitted via e-mail as four. The “subject” line in the e-mail submission shall state the SOW-RFP Project Name. The first file, to be submitted in both Word and pdf formats, will be the technical response to the SOW-RFP and titled, “SOW-RFP Project Name Technical”. The second file, to be submitted in both Word or Excel and pdf formats, will be the financial response to the SOW-RFP and titled, “SOW-RFP Project Name Financial”.

C. CONTRACTOR RESOURCES: Contractor shall obtain approval in advance by the State, in consultation with the Agency, of all employees, independent contractors or agents proposed for each SOW-RFP Project (“Key Personnel”). Key Personnel shall be identified in each SOW Agreement. Contractor shall use reasonable efforts to make available all Key Personnel for the entire life of the SOW RFP Project. Contractor shall not change Key Personnel without providing the State written justification and obtaining prior written approval of the State. State approvals for replacement of Key Personnel will not be unreasonably withheld. The replacement of Key Personnel shall have comparable or greater skills and applied experience than being replaced and be subject to reference and background checks described above. If Contractor removes Key Personnel for any reason without the State’s approval, Contractor agrees to provide replacement Key Personnel and shall provide the first thirty (30) days of such replacement resource(s) with equivalent skill at no charge. Notwithstanding the foregoing, the State acknowledges that Key Personnel may become unavailable due to termination of employment for any reason, through disability or death, illness, or through leave of absence such as FMLA or National Guard duty for example. In such circumstances, Contractor shall promptly notify the State in writing of the impending or actual departure of any Key Personnel and of the qualifications and identity of proposed replacement Key Personnel. The State has the right to reasonably disapprove of any replacement Key Personnel.

If Key Personnel does not perform up to acceptable or professional standards as required in this Master Agreement or the SOW Agreement, Contractor shall, when notified by the State, either replace the employees, independent contractors or agents with approved employees, independent contractors or agents or take remedial action agreed by State to

of 58

ensure that Contractor Resources are acceptable to the State for the SOW Agreement. The State’s right to request replacement of Contractor personnel hereunder relates solely to the removal of individuals from work on this Master Agreement and/or the particular SOW Agreement and does not create any employment or principal-agent relationship with the State. Nothing in this Master Agreement or any SOW Agreement entered into hereunder authorizes the State to direct the Contractor’s termination of, or other adverse action related to, the employment of any individual.

D. ORAL PRESENTATIONS/INTERVIEWS: In connection with any SOW RFP, Contractor and proposed employees, independent contractors or agents of Contractor may be required to make an oral presentation to State or Agency representatives. Significant representations made by a Contractor during the oral presentation shall be submitted in writing. All material representations acceptable to the State shall be incorporated in any applicable SOW Agreement. The Agency will notify Contractor of the time and place of oral presentations.

E. SOW AGREEMENT: Based upon an evaluation of SOW Proposals, a vendor will be selected to perform the work. A specific SOW Agreement will be entered into between the State and the selected vendor, which will bind the selected vendor to the terms of the SOW Agreement, including Project-specific payment terms. All SOW Agreements shall be subject to the terms of this Master Agreement and the Attachments hereto, as applicable. The Contracting Agency shall provide DII and OPC with a copy of the SOW Agreement, once it has been executed, via email to: [email protected] [email protected]

mailto:[email protected]


of 58

F. PROJECT MANAGEMENT/BUSINESS ANALYSIS/ENTERPRISE ARCHITECT SERVICES: All SOW Agreements for Project Management/Business Analysis/Architect Services shall be submitted to the State of Vermont Office of the Attorney General for a determination in accordance with 3 V.S.A. § 342 that such engagement is not contrary to the spirit and intent of the classification plan and merit system principles and standards provided by Chapter 13 of Title 3 of the Vermont Statutes.

G. NON-DISCLOSURE AGREEMENT: In some cases, Contractor may be required to sign a Non-Disclosure Agreement in a form acceptable to the State in order to protect confidential State data to which the Contractor, its employees, subcontractors or agents may have access.

H. CONTRACT MANAGEMENT OVERSIGHT ACTIVITIES: Enterprise Project Management Office (EPMO) may monitor the progress of any or all of the SOW Agreements in order to ascertain whether the Contractor is completing its work in accordance with this Master Agreement and the applicable SOW Agreement. In all cases, Contractor shall remain solely responsible for achieving on-budget/on-time completion of the applicable SOW Agreement.

I. REQUIRED PROJECT POLICIES, GUIDELINES AND METHODOLOGIES: The Contractor shall be required to comply with all applicable laws, regulations, policies, standards and guidelines affecting information technology projects, which may be created or changed periodically. It is the responsibility of the Contractor to insure adherence and to remain abreast of new or revised laws, regulations, policies, standards and guidelines affecting specific project execution. The most recent version of the following policies can be found on the State of Vermont Department of Information and Innovation website at http://dii.vermont.gov/policy/policy:

• Incident Response Policy • Information Security Policy • Intrusion Detection and Prevention Policy • Malicious Software Protection • Physical Security for Computer Protection • Third Party Connectivity • Mobile Device Policy • System/Service Password Policy • User Password Policy and Guidelines • Digital Media and Hardware Disposal Policy, Standard and Procedure

If required by an SOW Agreement, Contractor’s security controls shall conform to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) including the Standards for the Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164 (“Privacy Rule”), the Security Standards at 45 CFR Parts 160 and 164 (“Security Rule”), as amended by subtitle D of the Health Information Technology for Economic and Clinical Health Act and the Federal Information Security Management

http://dii.vermont.gov/policy/policy

of 58

Act (“FISMA”), 44 U.S.C. 3541 et seq. and Family Education Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), as applicable.

J. REPORTING:

a. SOW AGREEMENT PROJECTS: The Contractor and each Agency shall conduct

progress meetings as set forth in the applicable SOW Agreement. Contractor shall submit a project progress report to the Agency representative named in the SOW Agreement via email and shall contain, at a minimum, the following information:

• E-mail subject line: Contracting Agency name, IT service category name,

reporting period and “Progress Report.” • Work accomplished during the frequency period and all tasks planned for the

upcoming frequency period. • Deliverable progress, as a percentage of completion. • Problem areas, including scope creep, deviation from the work plan; tasks

incomplete, or behind schedule in the previous week (with reasons given for those behind schedule); and the status of any corrective actions undertaken and other unresolved issues and requirements to resolve unresolved issues.

• Planned activities for the next reporting period. • Gantt chart updated from the original to show actual progress; as applicable,

explanations for variances and plan for completion on schedule. • An accounting report for the current reporting period and a cumulative summary

of the totals for both the current and previous reporting periods. The accounting report shall include amounts invoiced-to-date and paid-to-date.

• Significant changes to Contractor’s organization or method of operation or to the Project management team, where applicable.

b. ADDITIONAL QUARTERLY REPORTING TO THE STATE: Contractor shall submit quarterly reports to the State OPC Contracts Agent via email to: [email protected] AND [email protected] Each report must contain the following information: contract number; IT Service Category, each Contracting Agency’s address, contact name, and telephone number; SOW Title(s); and price charged per SOW Agreement, with totals for each SOW Agreement in each reporting period. The State reserves the right to request additional information or to modify the following reporting periods. State shall promptly notify Contractor of any changes to the State Contracts Agent or contact information. Failure to report on a quarterly basis to the State Contracts Agent can result in the State canceling this Master Agreement and any SOW Agreements in place.



of 58

Unless otherwise directed by the State, quarterly reports must be submitted in accordance with the following schedule:

Reporting Period Report Due January 1 -March 31 April 15 April 1 - June 30 July 15 July 1 - September 30 October 15 October 1 - December 31 January 15

K. WORK LOCATION: As a general rule, project work will be done in Vermont. The

Contractor will be required to work on-site in (such site or sites as may be identified by the Agency) where space will be provided, however travel to other State facilities may be needed and the Contractor will be responsible for such travel using its own mode of transportation. Occasional exceptions to this rule may be established by mutual agreement between the Contractor and the Agency representative.

Where applicable, the Agency will provide desks, telephone, LAN connections, and printers. The Agency will not provide desktop PCs and/or laptops to Contractor for use during the project. If specific laptop computers or other mobile peripheral devices are required by Contractor, then the Contractor must provide its own compatible equipment and will be given the appropriate support by the Agency. Contractors will be provided support by the Agency in setting up any accounts or connections required (i.e. Agency email system, network connectivity, network printing etc.). Contractor will have access to State phones for use in business calls related to performance of the services. Agencies will not pay Contractor’s cell phone bills.

of 58

ATTACHMENT B – PAYMENT PROVISIONS

The maximum dollar amount payable under this Master Agreement is not intended as any form of a guaranteed amount. The Contractor will be paid for services actually performed and accepted by the State, up to the maximum allowable amount specified in this Master Agreement.

The State shall pay the Contractor upon satisfactory completion of the services and acceptance thereof by the State for all work identified in the applicable SOW Agreement, as follows:

1. With regard to services performed on a time and materials basis, Contractor shall be paid based on documentation and itemization of work performed and included in invoicing. Invoicing must contain a detail of services including a summary of work performed, location, dates, hours of work performed, work completed, and rates of pay.

2. In consideration of the worked performed by Contractor pursuant to an SOW Agreement, Contractor shall be paid for services performed on a time and materials basis in accordance with the following schedule of rates. For fixed price deliverables, Contractor shall be paid in accordance with the payment schedule included in the applicable SOW Agreement. All rates shall be inclusive of any and all fees and expenses, including mileage.

IT Service Category Title of Positions Hourly Rate Business Analyst/PM Business Analyst 5+ year experience $150 Business Analyst 10+ year experience $165 Project Manager PMI Certified $175 Infrastructure Support Services Systems Architect 10+ year experience $165 DBA/SQLDBA/Relational Database Support

Oracle DBA/SQLDBA 5+ year experience

$130-$140

Oracle OBIEE 5+ year experience $155 Data Warehousing 10+ year experience $155 PeopleSoft Application/System/ Administration Support

Peoplesoft Functional BA HR&FIN 10+ year experience

$155

Peoplesoft Developer 9.1, 9.2 Staff 5+ year experience

$135

Peoplesoft Developer 9.1, 9.2 Sr 10+ year experience

Upgrader 10+ year experience $165 Linux Sys Admin 5+ year experience $145

3. Contractor will be paid for actual hours worked (no overtime). Contractor shall not bill for

travel time.

of 58

4. Invoicing. Payment will only be made upon completion and acceptance of the deliverables as defined in the applicable SOW Agreement. The Contractor shall submit invoices for payment upon acceptance of separately priced deliverables, or on a time and materials basis, as the case may be, following written acceptance from the Contracting Agency that the deliverable is complete. A copy of the notice(s) of acceptance shall accompany all invoices submitted for payment. Invoices shall be sent to the Contracting Agency at the address provided in the SOW Agreement.

5. Payment of invoices shall be Net 30 from the date the State receives an error-free invoice

with full and complete supporting documentation.

6. Retainage. Contractor agrees that any SOW Agreement may provide, in the discretion of the Agency, that the Agency withhold a percentage, determined in the discretion of the Agency, of the total amount payable for each SOW Agreement deliverable, to be payable only after satisfactory completion and the State’s final acceptance of the SOW Project.

of 58

ATTACHMENT C: STANDARD STATE PROVISIONS FOR CONTRACTS AND GRANTS

REVISED JULY 1, 2016

1. Definitions: For purposes of this Attachment, “Party” shall mean the Contractor, Grantee or Subrecipient, with whom the State of Vermont is executing this Agreement and consistent with the form of the Agreement. “Agreement” shall mean the specific contract or grant to which this form is attached.

2. Entire Agreement: This Agreement, whether in the form of a Contract, State Funded Grant, or Federally Funded Grant, represents the entire agreement between the parties on the subject matter. All prior agreements, representations, statements, negotiations, and understandings shall have no effect.

3. Governing Law, Jurisdiction and Venue; No Waiver of Jury Trial: This Agreement will be governed by the laws of the State of Vermont. Any action or proceeding brought by either the State or the Party in connection with this Agreement shall be brought and enforced in the Superior Court of the State of Vermont, Civil Division, Washington Unit. The Party irrevocably submits to the jurisdiction of this court for any action or proceeding regarding this Agreement. The Party agrees that it must first exhaust any applicable administrative remedies with respect to any cause of action that it may have against the State with regard to its performance under the Agreement.

Party agrees that the State shall not be required to submit to binding arbitration or waive its right to a jury trial.

4. Sovereign Immunity: The State reserves all immunities, defenses, rights or actions arising out of the State’s sovereign status or under the Eleventh Amendment to the United States Constitution. No waiver of the State’s immunities, defenses, rights or actions shall be implied or otherwise deemed to exist by reason of the State’s entry into this Agreement.

5. No Employee Benefits For Party: The Party understands that the State will not provide any individual retirement benefits, group life insurance, group health and dental insurance, vacation or sick leave, workers compensation or other benefits or services available to State employees, nor will the state withhold any state or federal taxes except as required under applicable tax laws, which shall be determined in advance of execution of the Agreement. The Party understands that all tax returns required by the Internal Revenue Code and the State of Vermont, including but not limited to income, withholding, sales and use, and rooms and meals, must be filed by the Party, and information as to Agreement income will be provided by the State of Vermont to the Internal Revenue Service and the Vermont Department of Taxes.

6. Independence: The Party will act in an independent capacity and not as officers or employees of the State.

7. Defense and Indemnity: The Party shall defend the State and its officers and employees against all third party claims or suits arising in whole or in part from any act or omission of the Party or of any agent of the Party in connection with the performance of this Agreement. The State shall notify the Party in the event of any such claim or suit, and the Party shall immediately

of 58

retain counsel and otherwise provide a complete defense against the entire claim or suit. The State retains the right to participate at its own expense in the defense of any claim. The State shall have the right to approve all proposed settlements of such claims or suits. In the event the State withholds approval to settle any such claim, then the Party shall proceed with the defense of the claim but under those circumstances, the Party’s indemnification obligations shall be limited to the amount of the proposed settlement initially rejected by the State.

After a final judgment or settlement the Party may request recoupment of specific defense costs and may file suit in Washington Superior Court requesting recoupment. The Party shall be entitled to recoup costs only upon a showing that such costs were entirely unrelated to the defense of any claim arising from an act or omission of the Party in connection with the performance of this Agreement.

The Party shall indemnify the State and its officers and employees in the event that the State, its officers or employees become legally obligated to pay any damages or losses arising from any act or omission of the Party or an agent of the Party in connection with the performance of this Agreement.

The Party agrees that in no event shall the terms of this Agreement nor any document required by the Party in connection with its performance under this Agreement obligate the State to defend or indemnify the Party or otherwise be liable for the expenses or reimbursement, including attorneys’ fees, collection costs or other costs of the Party except to the extent awarded by a court of competent jurisdiction.

8. Insurance: Before commencing work on this Agreement the Party must provide certificates of insurance to show that the following minimum coverages are in effect. It is the responsibility of the Party to maintain current certificates of insurance on file with the State through the term of the Agreement. No warranty is made that the coverages and limits listed herein are adequate to cover and protect the interests of the Party for the Party’s operations. These are solely minimums that have been established to protect the interests of the State.

Workers Compensation: With respect to all operations performed, the Party shall carry workers’ compensation insurance in accordance with the laws of the State of Vermont. Vermont will accept an out-of-state employer's workers’ compensation coverage while operating in Vermont provided that the insurance carrier is licensed to write insurance in Vermont and an amendatory endorsement is added to the policy adding Vermont for coverage purposes. Otherwise, the party shall secure a Vermont workers’ compensation policy, if necessary, to comply with Vermont law.

General Liability and Property Damage: With respect to all operations performed under this Agreement, the Party shall carry general liability insurance having all major divisions of coverage including, but not limited to:

Premises - Operations

Products and Completed Operations

Personal Injury Liability

Contractual Liability

The policy shall be on an occurrence form and limits shall not be less than:

of 58

$1,000,000 Each Occurrence

$2,000,000 General Aggregate

$1,000,000 Products/Completed Operations Aggregate

$1,000,000 Personal & Advertising Injury

Automotive Liability: The Party shall carry automotive liability insurance covering all motor vehicles, including hired and non-owned coverage, used in connection with the Agreement. Limits of coverage shall not be less than $500,000 combined single limit. If performance of this Agreement involves construction, or the transport of persons or hazardous materials, limits of coverage shall not be less than $1,000,000 combined single limit.

Additional Insured. The General Liability and Property Damage coverages required for performance of this Agreement shall include the State of Vermont and its agencies, departments, officers and employees as Additional Insureds. If performance of this Agreement involves construction, or the transport of persons or hazardous materials, then the required Automotive Liability coverage shall include the State of Vermont and its agencies, departments, officers and employees as Additional Insureds. Coverage shall be primary and non-contributory with any other insurance and self-insurance.

Notice of Cancellation or Change. There shall be no cancellation, change, potential exhaustion of aggregate limits or non-renewal of insurance coverage(s) without thirty (30) days written prior written notice to the State.

9. Reliance by the State on Representations: All payments by the State under this Agreement will be made in reliance upon the accuracy of all representations made by the Party in accordance with the Contract, including but not limited to bills, invoices, progress reports and other proofs of work.

10. False Claims Act: The Party acknowledges that it is subject to the Vermont False Claims Act as set forth in 32 V.S.A. § 630 et seq. If the Party violates the Vermont False Claims Act it shall be liable to the State for civil penalties, treble damages and the costs of the investigation and prosecution of such violation, including attorney’s fees, except as the same may be reduced by a court of competent jurisdiction. The Party’s liability to the State under the False Claims Act shall not be limited notwithstanding any agreement of the State to otherwise limit Party’s liability.

11. Whistleblower Protections: The Party shall not discriminate or retaliate against one of its employees or agents for disclosing information concerning a violation of law, fraud, waste, abuse of authority or acts threatening health or safety, including but not limited to allegations concerning the False Claims Act. Further, the Party shall not require such employees or agents to forego monetary awards as a result of such disclosures, nor should they be required to report misconduct to the Party or its agents prior to reporting to any governmental entity and/or the public.

12. Federal Requirements Pertaining to Grants and Subrecipient Agreements: A. Requirement to Have a Single Audit: In the case that this Agreement is a Grant that is

funded in whole or in part by federal funds, the Subrecipient will complete the

of 58

Subrecipient Annual Report annually within 45 days after its fiscal year end, informing the State of Vermont whether or not a Single Audit is required for the prior fiscal year. If a Single Audit is required, the Subrecipient will submit a copy of the audit report to the granting Party within 9 months. If a single audit is not required, only the Subrecipient Annual Report is required.

For fiscal years ending before December 25, 2015, a Single Audit is required if the subrecipient expends $500,000 or more in federal assistance during its fiscal year and must be conducted in accordance with OMB Circular A-133. For fiscal years ending on or after December 25, 2015, a Single Audit is required if the subrecipient expends $750,000 or more in federal assistance during its fiscal year and must be conducted in accordance with 2 CFR Chapter I, Chapter II, Part 200, Subpart F. The Subrecipient Annual Report is required to be submitted within 45 days, whether or not a Single Audit is required.

B. Internal Controls: In the case that this Agreement is a Grant that is funded in whole or in part by Federal funds, in accordance with 2 CFR Part II, §200.303, the Party must establish and maintain effective internal control over the Federal award to provide reasonable assurance that the Party is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

C. Mandatory Disclosures: In the case that this Agreement is a Grant funded in whole or in part by Federal funds, in accordance with 2CFR Part II, §200.113, Party must disclose, in a timely manner, in writing to the State, all violations of Federal criminal law involving fraud, bribery, or gratuity violations potentially affecting the Federal award. Failure to make required disclosures may result in the imposition of sanctions which may include disallowance of costs incurred, withholding of payments, termination of the Agreement, suspension/debarment, etc.

13. Records Available for Audit: The Party shall maintain all records pertaining to performance under this agreement. “Records” means any written or recorded information, regardless of physical form or characteristics, which is produced or acquired by the Party in the performance of this agreement. Records produced or acquired in a machine readable electronic format shall be maintained in that format. The records described shall be made available at reasonable times during the period of the Agreement and for three years thereafter or for any period required by law for inspection by any authorized representatives of the State or Federal Government. If any litigation, claim, or audit is started before the expiration of the three-year period, the records shall be retained until all litigation, claims or audit findings involving the records have been resolved.

14. Fair Employment Practices and Americans with Disabilities Act: Party agrees to comply with the requirement of 21 V.S.A. Chapter 5, Subchapter 6, relating to fair employment practices, to the full extent applicable. Party shall also ensure, to the full extent required by the Americans with Disabilities Act of 1990, as amended, that qualified individuals with disabilities

of 58

receive equitable access to the services, programs, and activities provided by the Party under this Agreement.

15. Set Off: The State may set off any sums which the Party owes the State against any sums due the Party under this Agreement; provided, however, that any set off of amounts due the State of Vermont as taxes shall be in accordance with the procedures more specifically provided hereinafter.

16. Taxes Due to the State: A. Party understands and acknowledges responsibility, if applicable, for compliance with

State tax laws, including income tax withholding for employees performing services within the State, payment of use tax on property used within the State, corporate and/or personal income tax on income earned within the State.

B. Party certifies under the pains and penalties of perjury that, as of the date the Agreement is signed, the Party is in good standing with respect to, or in full compliance with, a plan to pay any and all taxes due the State of Vermont.

C. Party understands that final payment under this Agreement may be withheld if the Commissioner of Taxes determines that the Party is not in good standing with respect to or in full compliance with a plan to pay any and all taxes due to the State of Vermont.

D. Party also understands the State may set off taxes (and related penalties, interest and fees) due to the State of Vermont, but only if the Party has failed to make an appeal within the time allowed by law, or an appeal has been taken and finally determined and the Party has no further legal recourse to contest the amounts due.

17. Taxation of Purchases: All State purchases must be invoiced tax free. An exemption certificate will be furnished upon request with respect to otherwise taxable items.

18. Child Support: (Only applicable if the Party is a natural person, not a corporation or partnership.) Party states that, as of the date the Agreement is signed, he/she:

A. is not under any obligation to pay child support; or

B. is under such an obligation and is in good standing with respect to that obligation; or

C. has agreed to a payment plan with the Vermont Office of Child Support Services and is in full compliance with that plan.

Party makes this statement with regard to support owed to any and all children residing in Vermont. In addition, if the Party is a resident of Vermont, Party makes this statement with regard to support owed to any and all children residing in any other state or territory of the United States.

19. Sub-Agreements: Party shall not assign, subcontract or subgrant the performance of this Agreement or any portion thereof to any other Party without the prior written approval of the State. Party shall be responsible and liable to the State for all acts or omissions of subcontractors and any other person performing work under this Agreement pursuant to an agreement with Party or any subcontractor.

of 58

In the case this Agreement is a contract with a total cost in excess of $250,000, the Party shall provide to the State a list of all proposed subcontractors and subcontractors’ subcontractors, together with the identity of those subcontractors’ workers compensation insurance providers, and additional required or requested information, as applicable, in accordance with Section 32 of The Vermont Recovery and Reinvestment Act of 2009 (Act No. 54).

Party shall include the following provisions of this Attachment C in all subcontracts for work performed solely for the State of Vermont and subcontracts for work performed in the State of Vermont: Section 10 (“False Claims Act”); Section 11 (“Whistleblower Protections”); Section 14 (“Fair Employment Practices and Americans with Disabilities Act”); Section 16 (“Taxes Due the State”); Section 18 (“Child Support”); Section 20 (“No Gifts or Gratuities”); Section 22 (“Certification Regarding Debarment”); Section 23 (“Certification Regarding Use of State Funds”); Section 31 (“State Facilities”); and Section 32 (“Location of State Data”).

20. No Gifts or Gratuities: Party shall not give title or possession of anything of substantial value (including property, currency, travel and/or education programs) to any officer or employee of the State during the term of this Agreement.

21. Copies: Party shall use reasonable best efforts to ensure that all written reports prepared under this Agreement are printed using both sides of the paper.

22. Certification Regarding Debarment: Party certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, neither Party nor Party’s principals (officers, directors, owners, or partners) are presently debarred, suspended, proposed for debarment, declared ineligible or excluded from participation in federal programs, or programs supported in whole or in part by federal funds.

Party further certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, Party is not presently debarred, suspended, nor named on the State’s debarment list at: http://bgs.vermont.gov/purchasing/debarment

23. Certification Regarding Use of State Funds: In the case that Party is an employer and this Agreement is a State Funded Grant in excess of $1,001, Party certifies that none of these State funds will be used to interfere with or restrain the exercise of Party’s employee’s rights with respect to unionization.

24. Conflict of Interest: Party shall fully disclose, in writing, any conflicts of interest or potential conflicts of interest.

25. Confidentiality: Party acknowledges and agrees that this Agreement and any and all information obtained by the State from the Party in connection with this Agreement are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq.

26. Force Majeure: Neither the State nor the Party shall be liable to the other for any failure or delay of performance of any obligations under this Agreement to the extent such failure or delay shall have been wholly or principally caused by acts or events beyond its reasonable control rendering performance illegal or impossible (excluding strikes or lock-outs) (“Force Majeure”). Where Force Majeure is asserted, the nonperforming party must prove that it made all reasonable

of 58

efforts to remove, eliminate or minimize such cause of delay or damages, diligently pursued performance of its obligations under this Agreement, substantially fulfilled all non-excused obligations, and timely notified the other party of the likelihood or actual occurrence of an event described in this paragraph.

27. Marketing: Party shall not refer to the State in any publicity materials, information pamphlets, press releases, research reports, advertising, sales promotions, trade shows, or marketing materials or similar communications to third parties except with the prior written consent of the State.

28. Termination: In addition to any right of the State to terminate for convenience, the State may terminate this Agreement as follows:

A. Non-Appropriation: If this Agreement extends into more than one fiscal year of the State (July 1 to June 30), and if appropriations are insufficient to support this Agreement, the State may cancel at the end of the fiscal year, or otherwise upon the expiration of existing appropriation authority. In the case that this Agreement is a Grant that is funded in whole or in part by federal funds, and in the event federal funds become unavailable or reduced, the State may suspend or cancel this Grant immediately, and the State shall have no obligation to pay Subrecipient from State revenues.

B. Termination for Cause: Either party may terminate this Agreement if a party materially breaches its obligations under this Agreement, and such breach is not cured within thirty (30) days after delivery of the non-breaching party’s notice or such longer time as the non-breaching party may specify in the notice.

C. No Implied Waiver of Remedies: A party’s delay or failure to exercise any right, power or remedy under this Agreement shall not impair any such right, power or remedy, or be construed as a waiver of any such right, power or remedy. All waivers must be in writing.

29. Continuity of Performance: In the event of a dispute between the Party and the State, each party will continue to perform its obligations under this Agreement during the resolution of the dispute until this Agreement is terminated in accordance with its terms.

30. Termination Assistance: Upon nearing the end of the final term or termination of this Agreement, without respect to cause, the Party shall take all reasonable and prudent measures to facilitate any transition required by the State. All State property, tangible and intangible, shall be returned to the State upon demand at no additional cost to the State in a format acceptable to the State.

31. State Facilities: If the State makes space available to the Party in any State facility during the term of this Agreement for purposes of the Party’s performance under this Agreement, the Party shall only use the space in accordance with all policies and procedures governing access to and use of State facilities which shall be made available upon request. State facilities will be made available to Party on an “AS IS, WHERE IS” basis, with no warranties whatsoever.

32. Location of State Data: No State data received, obtained, or generated by the Party in connection with performance under this Agreement shall be processed, transmitted, stored, or

of 58

transferred by any means outside continental United States, except with the express written permission of the State.

(End of Standard Provisions)

of 58

ATTACHMENT D

TECHNOLOGY TERMS AND CONDITIONS

1. ORDER OF PRECEDENCE; CONTRACTOR DOCUMENTATION

The parties specifically agree that any language or provisions contained in a Contractor Document (as defined below) is of no force and effect if such language or provisions conflict with the terms of Attachment C or Attachment D to this Master Agreement.

2. OWNERSHIP AND LICENSE IN DELIVERABLES

2.1 Contractor Intellectual Property. Contractor shall retain all right, title and interest in and to all Contractor Intellectual Property that Contractor delivers to the State in accordance with Master Agreement and any SOW Agreement entered into hereunder. “Contractor Intellectual Property” means any intellectual property, tangible or intangible, that is owned by Contractor and contained in or necessary for the use of the items that Contractor is required to deliver to the State under this Master Agreement and any SOW Agreement entered into hereunder, including Work Product (“Deliverables”). Should the State require a license for the use of Contractor Intellectual Property in connection with the development or use of the Deliverables, the Contractor shall grant the State a royalty-free license for such development and use. For the avoidance of doubt, Work Product shall not be deemed to include Contractor Intellectual Property, provided the State shall be granted an irrevocable, perpetual, non-exclusive royalty-free license to any such Contractor Intellectual Property that is incorporated into Work Product.

2.2 State Intellectual Property; State Intellectual Property; User Name. The State shall retain all right, title and interest in and to (i) all content and all property, data and information furnished by or on behalf of the State or any agency, commission or board thereof, and to all information that is created under this Master Agreement and any SOW Agreement entered into hereunder, including, but not limited to, all data that is generated under this Master Agreement and any SOW Agreement entered into hereunder as a result of the use by Contractor, the State or any third party of any technology systems or knowledge bases that are developed for the State and used by Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State trademarks, trade names, logos and other State identifiers, Internet uniform resource locators, State user name or names, Internet addresses and e-mail addresses obtained or developed pursuant to this Master Agreement and any SOW Agreement entered into hereunder (collectively, “State Intellectual Property”). Contractor may not use State Intellectual Property for any purpose other than as specified in this Master Agreement and any SOW Agreement entered into hereunder. Upon expiration or termination of this Master Agreement and any SOW Agreement entered into hereunder, Contractor shall return or destroy all State Intellectual Property and all copies thereof, and Contractor shall have no further right or license to such State Intellectual Property.

of 58

Contractor acquires no rights or licenses, including, without limitation, intellectual property rights or licenses, to use State Intellectual Property for its own purposes. In no event shall the Contractor claim any security interest in State Intellectual Property.

2.3 Work Product. All Work Product shall belong exclusively to the State, with the State having the sole and exclusive right to apply for, obtain, register, hold and renew, in its own name and/or for its own benefit, all patents and copyrights, and all applications and registrations, renewals and continuations thereof and/or any and all other appropriate protection. To the extent exclusive title and/or complete and exclusive ownership rights in and to any Work Product may not originally vest in the State by operation of law or otherwise as contemplated hereunder, Contractor shall immediately upon request, unconditionally and irrevocably assign, transfer and convey to the State all right, title and interest therein.

“Work Product” means any tangible or intangible ideas, inventions, improvements, modifications, discoveries, development, customization, configuration, methodologies or processes, designs, models, drawings, photographs, reports, formulas, algorithms, patterns, devices, compilations, databases, computer programs, work of authorship, specifications, operating instructions, procedures manuals or other documentation, technique, know-how, secret, or intellectual property right whatsoever or any interest therein (whether patentable or not patentable or registerable under copyright or similar statutes or subject to analogous protection), that is specifically made, conceived, discovered or reduced to practice by Contractor, either solely or jointly with others, pursuant to this Master Agreement and any SOW Agreement entered into hereunder. Work Product does not include Contractor Intellectual Property or third party intellectual property.

To the extent delivered under this Master Agreement and any SOW Agreement entered into hereunder, upon full payment to Contractor in accordance with Attachment B, and subject to the terms and conditions contained herein, Contractor hereby (i) assigns to State all rights in and to all Deliverables, except to the extent they include any Contractor Intellectual Property; and (ii) grants to State a perpetual, non-exclusive, irrevocable, royalty-free license to use for State’s internal business purposes, any Contractor Intellectual Property included in the Deliverables in connection with its use of the Deliverables and, subject to the State’s obligations with respect to Confidential Information, authorize others to do the same on the State’s behalf. Except for the foregoing license grant, Contractor or its licensors retain all rights in and to all Contractor Intellectual Property.

The Contractor shall not sell or copyright a Deliverable without explicit permission from the State.

If the Contractor is operating a system or application on behalf of the State of Vermont, then the Contractor shall not make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Contractor Intellectual Property or Contractor Intellectual Property developed outside of this Master Agreement and any SOW Agreement entered into hereunder with no assistance from State.

of 58

3. CONFIDENTIALITY AND NON-DISCLOSURE; SECURITY BREACH

REPORTING

3.1 Confidentiality of Contractor Information. The Contractor acknowledges and agrees that this Master Agreement and any SOW Agreement entered into hereunder and any and all Contractor information obtained by the State in connection with this Master Agreement and any SOW Agreement entered into hereunder are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. The State will not disclose information for which a reasonable claim of exemption can be made pursuant to 1 V.S.A. § 317(c), including, but not limited to, trade secrets, proprietary information or financial information, including any formulae, plan, pattern, process, tool, mechanism, compound, procedure, production data, or compilation of information which is not patented, which is known only to the Contractor, and which gives the Contractor an opportunity to obtain business advantage over competitors who do not know it or use it. The State shall immediately notify Contractor of any request made under the Access to Public Records Act, or any request or demand by any court, governmental agency or other person asserting a demand or request for Contractor information. Contractor may, in its discretion, seek an appropriate protective order, or otherwise defend any right it may have to maintain the confidentiality of such information under applicable State law within three business days of the State’s receipt of any such request. Contractor agrees that it will not make any claim against the State if the State makes available to the public any information in accordance with the Access to Public Records Act or in response to a binding order from a court or governmental body or agency compelling its production. Contractor shall indemnify the State for any costs or expenses incurred by the State, including, but not limited to, attorneys’ fees awarded in accordance with 1 V.S.A. § 320, in connection with any action brought in connection with Contractor’s attempts to prevent or unreasonably delay public disclosure of Contractor’s information if a final decision of a court of competent jurisdiction determines that the State improperly withheld such information and that the improper withholding was based on Contractor’s attempts to prevent public disclosure of Contractor’s information.

The State agrees that (a) it will use the Contractor information only as may be necessary in the course of performing duties, receiving services or exercising rights under this Master Agreement and any SOW Agreement entered into hereunder; (b) it will provide at a minimum the same care to avoid disclosure or unauthorized use of Contractor information as it provides to protect its own similar confidential and proprietary information; (c) except as required by the Access to Records Act, it will not disclose such information orally or in writing to any third party unless that third party is subject to a written confidentiality agreement that contains restrictions and safeguards at least as restrictive as those contained in this Master Agreement and any SOW Agreement entered into hereunder; (d) it will take all reasonable precautions to protect the Contractor’s information; and (e) it will not otherwise appropriate such

of 58

information to its own use or to the use of any other person or entity.

Contractor may affix an appropriate legend to Contractor information that is provided under this Master Agreement and any SOW Agreement entered into hereunder to reflect the Contractor’s determination that any such information is a trade secret, proprietary information or financial information at time of delivery or disclosure.

3.2 Confidentiality of State Information. In performance of this Master Agreement and any SOW Agreement entered into hereunder, and any exhibit or schedule hereunder, the Party acknowledges that certain State data , to which the Contractor may have access may contain individual federal tax information, personal protected health information and other individually identifiable information protected by State or federal law or otherwise exempt from disclosure under the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. (“State Data”). [In addition to the provisions of this Section, the Party shall execute the HIPAA Business Associate Agreement attached as Attachment F]. Before receiving or controlling State Data, the Contractor will have an information security policy that protects its systems and processes and media that may contain State Data from internal and external security threats and State Data from unauthorized disclosure, and will have provided a copy of such policy to the State. State Data shall not be stored, accessed from, or transferred to any location outside the United States.

Unless otherwise instructed by the State, Contractor agrees to keep confidential all State Data received and collected by Contractor in connection with this Master Agreement and any SOW Agreement entered into hereunder . The Contractor agrees not to publish, reproduce, or otherwise divulge any State Data in whole or in part, in any manner or form or authorize or permit others to do so. Contractor will take reasonable measures as are necessary to restrict access to State Data in the Contractor’s possession to only those employees on its staff who must have the information on a “need to know” basis. The Contractor shall use State Data only for the purposes of and in accordance with this Master Agreement any SOW Agreement. The Contractor shall provide at a minimum the same care to avoid disclosure or unauthorized use of State Data as it provides to protect its own similar confidential and proprietary information. The Contractor shall not retain any State Data except to the extent required to perform the services under an SOW Agreement.

The Contractor shall promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for State Data to which the Contractor or any third party hosting service of the Contractor may have access, so that the State may seek an appropriate protective order.

3.3 Security of State Information. To the extent Contractor shall have access to, processes, handles, collects, transmits, stores or otherwise deals with State Data, the Contractor represents and warrants that it has implemented and it shall maintain during the term of this Master Agreement the highest industry standard administrative, technical, and physical safeguards and controls consistent with NIST Special Publication 800-53 (version 4 or higher) and Federal Information Processing

of 58

Standards Publication 200 and designed to (i) ensure the security and confidentiality of State Data; (ii) protect against any anticipated security threats or hazards to the security or integrity of the State Data; and (iii) protect against unauthorized access to or use of State Data. Such measures shall include at a minimum: (1) access controls on information systems, including controls to authenticate and permit access to State Data only to authorized individuals and controls to prevent the Contractor employees from providing State Data to unauthorized individuals who may seek to obtain this information (whether through fraudulent means or otherwise); (2) industry-standard firewall protection; (3) encryption of electronic State Data while in transit from the Contractor networks to external networks; (4) measures to store in a secure fashion all State Data which shall include multiple levels of authentication; (5) dual control procedures, segregation of duties, and pre-employment criminal background checks for employees with responsibilities for or access to State Data; (6) measures to ensure that the State Data shall not be altered or corrupted without the prior written consent of the State; (7) measures to protect against destruction, loss or damage of State Data due to potential environmental hazards, such as fire and water damage; (8) staff training to implement the information security measures; and (9) monitoring of the security of any portions of the Contractor systems that are used in the provision of the services against intrusion on a twenty-four (24) hour a day basis.

3.4 Security Breaches; Security Breach Reporting. To the extent the Contractor or its subcontractors, affiliates or agents has access to, processes, handles, collects, stores, transmits or otherwise deals with State Data, the Contractor acknowledges that in the performance of its obligations under this Master Agreement and any SOW Agreement entered into hereunder, it will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below.

In addition to the requirements set forth in any applicable Business Associate Agreement as may be attached to this Master Agreement, in the event of any actual security breach or reasonable belief of an actual security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including, as applicable, PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), the Contractor shall immediately determine the nature and extent of the Security Breach, contain the incident by stopping the unauthorized practice, recover records, shut down the system that was breached, revoke access and/or correct weaknesses in physical security.

of 58

Contractor shall analyze and document the incident and provide the required notices, as set forth below.

In accordance with Section 9 V.S.A. §2435(b)(3), the Contractor shall notify the Office of the Attorney General, or in the case of a Security Breach by a data collector regulated by the Vermont Department of Financial Regulation (“DFR”), DFR, within fourteen (14) business days of the Contractor’s discovery of the Security Breach. The notice shall provide a preliminary description of the breach. The foregoing notice requirement shall be included in the subcontracts of any of Contractor’s subcontractors, affiliates or agents which may be “data collectors” hereunder. Except to the extent delayed upon request of law enforcement in accordance with 9 V.S.A. §2435(b)(4), within thirty days of the Security Breach or when the Contractor provides notice to consumers pursuant to this Master Agreement, whichever is sooner, the Contractor shall report to the State: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State.

The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes and all applicable State and federal laws, rules or regulations) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. Further, the Contractor agrees to fully cooperate with the State, assume responsibility for notice to affected consumers if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State.

In addition to any other indemnification obligations in this Master Agreement and any SOW Agreement entered into hereunder, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

4 CONTRACTOR’S REPRESENTATIONS AND WARRANTIES

4.1 General Representations and Warranties. The Contractor represents, warrants and covenants that:

(i) The Contractor has all requisite power and authority to execute, deliver and perform its obligations under this Master Agreement and any SOW Agreement entered into hereunder and the execution, delivery and performance of this Master Agreement and any SOW Agreement entered into hereunder by the Contractor has been duly authorized by the Contractor.

of 58

(ii) There is no pending litigation, arbitrated matter or other dispute to which the Contractor is a party which, if decided unfavorably to the Contractor, would reasonably be expected to have a material adverse effect on the Contractor’s ability to fulfill its obligations under this Master Agreement and any SOW Agreement entered into hereunder.

(iii) The Contractor will comply with all laws applicable to its performance of the services and otherwise to the Contractor in connection with its obligations under this Master Agreement and any SOW Agreement entered into hereunder.

(iv) The Contractor (a) owns, or has the right to use under valid and enforceable agreements, all intellectual property rights reasonably necessary for and related to delivery of the services and provision of the services as set forth in this Master Agreement and any SOW Agreement entered into hereunder; (b) shall be responsible for and have full authority to license all proprietary and/or third party software modules, including algorithms and protocols, that Contractor incorporates into its product; and (c) none of the services or other materials or technology provided by the Contractor to the State will infringe upon or misappropriate the intellectual property rights of any third party.

(v) The Contractor has adequate resources to fulfill its obligations under this Master Agreement and any SOW Agreement entered into hereunder.

(vi) Neither Contractor nor Contractor’s subcontractors has past state or federal violations, convictions or suspensions relating to miscoding of employees in NCCI job codes for purposes of differentiating between independent contractors and employees.

4.2 Contractor’s Performance Warranties. Contractor represents and warrants to the State that:

(i) Each and all of the services shall be performed in a timely, diligent, professional and workpersonlike manner, in accordance with the highest professional or technical standards applicable to such services, by qualified persons with the technical skills, training and experience to perform such services in the planned environment. At its own expense and without limiting any other rights or remedies of the State hereunder, the Contractor shall re-perform any services that the State has determined to be unsatisfactory in its reasonable discretion; the State shall have no obligation to pay for services it has determined to be unsatisfactory.

(ii) Any time software is delivered to the State, whether delivered via electronic media or the internet, no portion of such software or the media upon which it is stored or delivered will have any type of software routine or other element which is designed to facilitate unauthorized access to or intrusion upon; or unrequested disabling or erasure of; or unauthorized interference with the operation of any hardware, software, data or peripheral equipment of or utilized by the State. Notwithstanding the foregoing, Contractor assumes no responsibility for the State’s negligence or failure to protect data from viruses, or any unintended modification, destruction or disclosure.

5 PROFESSIONAL LIABILITY AND CYBER LIABILITY INSURANCE COVERAGE

of 58

In addition to the insurance required in Attachment C to this Master Agreement, before commencing work on this Master Agreement and any SOW Agreement entered into hereunder the Contractor must provide certificates of insurance to show that the foregoing minimum coverages are in effect throughout the term of this Master Agreement: (a) Technology Professional Liability insurance for any and all services performed under this Master Agreement and any SOW Agreement entered into hereunder, with minimum third party coverage of $1,000,000 per claim, $2,000,000 aggregate; and (b) and, to the extent Contractor shall have access to, processes, handles, collects, transmits, stores or otherwise deals with State Data, first party Breach Notification Coverage of not less than $1,000,000. With respect to the first party Breach Notification Coverage, Contractor shall name the State of Vermont and its officers and employees as additional insureds for liability arising out of this Agreement.

6 REMEDIES FOR DEFAULT

In the event either party is in default under this Master Agreement and any SOW Agreement entered into hereunder, the non-defaulting party may, at its option, pursue any or all of the remedies available to it under this Master Agreement and any SOW Agreement entered into hereunder, including termination for cause, and at law or in equity.

7 TERMINATION

7.1 Contractor shall reasonably cooperate with other parties in connection with all services to be delivered under this Master Agreement and any SOW Agreement entered into hereunder, including without limitation any successor provider to whom State data is to be transferred in connection with termination. Contractor shall assist the applicable Agency or Agencies in exporting and extracting any and all State data, in a format usable without the use of the Services and as agreed to by State, at no additional cost. Any transition services requested by State involving additional knowledge transfer and support may be subject to a contract amendment for a fixed fee or at rates to be mutually agreed upon by the parties. If the State determines in its sole discretion that a documented transition plan is necessary, then no later than sixty (60) days prior to termination, Contractor and the applicable Agency or Agencies shall mutually prepare a Transition Plan identifying transition services to be provided.

7.2 Return of Property. Upon termination of this Master Agreement or any SOW Agreement for any reason whatsoever, Contractor shall immediately deliver to the applicable Agency or Agencies all State Intellectual Property and State Data (including without limitation any Deliverables for which State has made payment in whole or in part), that are in the possession or under the control of Contractor in whatever stage of development and form of recordation such Agency property is expressed or embodied at that time.

of 58

[Three (3)] months after the termination or expiration of this Master Agreement and any SOW Agreement entered into hereunder, or upon the State’s earlier written request, Contractor shall at its own expense destroy and erase from all systems it directly or indirectly uses or controls all tangible or intangible forms of the State Data and State Intellectual Property, in whole or in part, and all copies thereof except such records as are required by law. To the extent that any applicable law prevents Contractor from destroying or erasing State Data as described in the preceding sentence, Contractor shall retain, in its then current state, all such State Data then within its right of control or possession in accordance with the confidentiality, security and other requirements of this Master Agreement, and perform its obligations under this section as soon as such law no longer prevents it from doing so. Contractor shall, upon request, send a written certification to the State certifying that it has destroyed the State Data and State Confidential Information in compliance with this section.

8 IRS TERMS IF FEDERAL TAX INFORMATION WILL BE PROCESSED OR STORED (Per IRS Publication 1075)

To the extent Contractor’s performance under this Contract involves the processing or storage of Federal tax information, then, pursuant to IRS Publication 1075, the following provisions shall apply in addition to any other security standard or requirements set forth in this Contract:

A. PERFORMANCE In performance of this Contract, the Contractor agrees to comply with and assume responsibility for compliance by its employees with the following requirements:

1. All work will be done under the supervision of the Contractor or the Contractor's employees.

2. Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Contract. Disclosure to anyone other than an officer or employee of the Contractor will be prohibited.

3. All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.

4. The Contractor certifies that the data processed during the performance of this Contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the Contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures.

of 58

5. Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the State or his or her designee. When this is not possible, the Contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the State or its designee with a statement containing the date of destruction, description of material destroyed, and the method used.

6. All computer systems processing, storing, or transmitting Federal tax information must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal tax information.

7. No work involving Federal tax information furnished under this Contract will be subcontracted without prior written approval of the IRS.

8. The Contractor will maintain a list of employees authorized access. Such list will be provided to the State and, upon request, to the IRS reviewing office.

9. The State will have the right to void the Contract if the Contractor fails to provide the safeguards described above.

B. CRIMINAL/CIVIL SANCTIONS: 1. Each officer or employee of any person to whom returns or return information is or may be

disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.

2. Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the Contract. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or

of 58

disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431.

3. Additionally, it is incumbent upon the Contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to State records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

C. INSPECTION:

The IRS and the State shall have the right to send its officers and employees into the offices and plants of the Contractor for inspection of the facilities and operations provided for the performance of any work under this Contract. On the basis of such inspection, specific measures may be required in cases where the Contractor is found to be noncompliant with Contract safeguards.

of 58

Attachment D1: Form Statement of Work RFP (SOW-RFP)

STATE OF VERMONT - STATEMENT OF WORK (SOW) Request for Proposal (RFP)

IT Service Category: Request for Proposal Month DD, YYYY

ADMINISTRATIVE INFORMATION

AGENCY/DEPT RESPONSIBILITY FOR SOW-RFP AND SOW AGREEMENT Name the person/s and Agency/Dept. This SOW RFP is being issued in accordance with the Master Agreement between the Contractor and the State of Vermont, Department of Buildings and General Services, Office of Purchasing and Contracting. After an evaluation of Contractor’s response to this SOW RFP, the Contracting Agency may elect to enter into a specific SOW Agreement which will outline all SOW Agreement requirements and payment provisions.

SOW PROPOSAL SUBMISSIONS

All SOW Proposals are due no later than: (Date) and Time

Proposals must be submitted by email to: (State Agency Contact e-mail)

The SOW RFP Response is to be submitted to the contact set forth above via e-mail as four attachments. The “subject” line in the e-mail submission shall state the SOW-RFP Project Name. The first file, to be submitted in Word and pdf formats, will be the technical response to this SOW-RFP and titled, “SOW-RFP Project Name Technical”. The second file, to be submitted in Word or Excel and pdf formats, will be the financial response to this SOW-RFP and titled, “SOW-RFP Project Name Financial”.

All SOW RFP Responses become the property of the State and, once the resulting SOW Agreement is finalized, are subject to disclosure under the State’s Public Records Act, 1 V.S.A. §§ 315-320. If a SOW RFP Response includes material that is considered by the Contractor to be a trade secret under 1 V.S.A. § 317(c)(9), the Contractor shall clearly designate the material as such in its submission. In accordance therewith, the State will not disclose information for which a reasonable claim of trade secret can be made pursuant to 1 VSA § 317(c)(9).

In the cover letter to any SOW RFP Response, the Contractor must identify each page or section of the response that it believes is a trade secret and provide a written

of 58

explanation relating to each marked portion to justify the denial of a public record request should the State receive such a request.

STATEMENT OF RIGHTS

The State of Vermont reserves the right to obtain clarification or additional information necessary to properly evaluate a proposal. The Contractor may be asked to give a verbal presentation of its proposal after submission. Failure of Contractor to respond to a request for additional information or clarification could result in rejection of the Contractor’s proposal. To secure a project that is deemed to be in the best interest of the State, the State reserves the right to accept or reject any and all bids, in whole or in part, with or without cause, and to waive technicalities in submissions. The State also reserves the right to make purchases outside of the awarded contracts where it is deemed in the best interest of the State.

METHOD OF AWARD

Awards will be made in the best interest of the Contracting Agency. The Contracting Agency may award one or more SOW Agreements and reserves the right to make additional awards to other compliant bidders at any time during the term of the SOW Agreement if such award is deemed to be in the best interest of the Contracting Agency.

ORAL PRESENTATIONS/INTERVIEWS

The Contracting Agency will conduct a pre-bid conference call on (Replace with Date and Time) to answer any questions potential bidders may have. The call in number will be (Replace with Phone Number). [If no call will be held, delete this section.] Prior to making a final selection, the Contracting Agency will determine whether to conduct oral presentations. The decision will be based on the quality and quantity of responses received. If it is determined that oral presentations are needed they will be conducted at no expense to the State. Oral presentation may be by phone or in person. In-person presentations will take place as directed by the Contracting Agency on a yet to be determined date at no expense to the State. As part of the selection process, the State reserves the right to interview, either in person or via phone, all candidates for on-site staff that are proposed to perform the work defined within this SOW RFP. The State may also request a change to vendor staffing after a vendor has been selected if upon on-site efforts the State deems the relationship to not be acceptable. Replacement staff will be subject to additional interviewing and approval by the State at no additional cost to the State.

of 58

NON-DISCLOSURE AGREEMENT Contractors and each employee or subcontractor with access to State Data, as defined in the Master Agreement will be required to sign a standard State non-disclosure agreement if there is not already one on file.

SCOPE OF WORK

PURPOSE

BACKGROUND High level description of Contracting Agency’s business unit and the business case or situation leading to this Project

EXISTING TECHNOLOGY ENVIRONMENT Detailed description of existing technology architecture and environments

REQUIREMENTS:

For this particular request, knowledge requirements include: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. For this particular request, Functional requirements include: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX For this particular request, Non-Functional requirements include: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

PROJECT MANAGEMENT

PROJECT MANAGEMENT APPROACH (change or remove as needed) Describe the project management approach required by your agency or business unit. If certain project management methodologies are to be employed and project progress reports and project team meetings are to take place, they need to also be defined as deliverables below.

PROJECT MANAGEMENT SERVICES (Remove this section if this SOW is not related to Project Management/ Business Analyst/Enterprise Architect Services)

All proposed SOW Agreements for Project Management, Business Analyst or Enterprise Architect Services shall be submitted to the State of Vermont Office of the Attorney General for a determination in accordance with 3 V.S.A. § 342 that such engagement is

of 58

not contrary to the spirit and intent of the classification plan and merit system principles and standards provided by Chapter 13 of Title 3 of the Vermont Statutes.

PM Approach The Contractor shall follow project management methodologies that are consistent with the Project Management Institute’s (PMI) Project Management Body of Knowledge (PMBOK) Guide. Contractor staff will produce project deliverables using Microsoft Office products in v2007 or newer (Word, Excel, Project, Visio, etc.), and Adobe PDF, or other formats acceptable to the State.

PROJECT DELIVERABLES Describe required deliverables in detail. Under no circumstance should a SOW be developed or an SOW RFP be released where the deliverables are not quantified or the criteria for acceptance are not defined. Be clear and concise. The deliverables identified here should be directly tied to payment provisions.

Example: DELIVERABLE/ DELIVERY SCHEDULE

ID Deliverables Expected Completion: <If known>

Deliverable A Deliverable B Deliverable C

Example: DELIVERABLES MATRIX

ID Acceptance Criteria Est Completion

Date

Quoted Cost

(1) (2)

(3) (4)

of 58

Total

CHANGE ORDERS We do not anticipate the need to make change orders, however, if it becomes necessary, such work must be authorized by the State in writing before such work can proceed and may require an amendment to the SOW Agreement.

REFERENCES Provide the names, addresses, and phone numbers of at least three companies or State Agencies with whom you have transacted similar business in the last 12 months. You must include contact names who can talk knowledgeable about performance and deliverables.

OFFSHORE OUTSOURCING Please indicate whether or not any services being provided are or will be outsourced as part of bidding on this project.

SOW PROPOSAL FORMAT

Email PDF’s or Microsoft Office documents as set forth above under SOW PROPOSAL SUBMISSIONS

A SOW RFP Proposal shall provide the following:

Proposed Services – Work Plan a) Proposed Services: A description of the Contractor’s proposed services to

accomplish the specified work requirements, including dates of completion. b) Risk Assessment: An assessment of any risks inherent in the work requirements and

and actions to mitigate these risks. c) Proposed Tools: A description of proposed tools that may be used to facilitate the

work. d) Tasks and Deliverables: A description of and the schedule for each task and

deliverable, illustrated by a Gantt chart. Start and completion dates for each task, milestone, and deliverable shall be indicated. Must include deliverables specified in SOW-RFP as well as other deliverables that may be proposed by Contractor.

e) Work Breakdown Structure: A detailed work breakdown structure and staffing schedule, with labor hours by skill category that will be applied to meet each milestone and deliverable, and to accomplish all specified work requirements.

of 58

Proposed Personnel a) Identify all personnel by name and skill set who will be working on the project,

include resumes b) Certification that all proposed personnel meet the minimum required qualifications

and possess the required certifications to complete the work as required. c) Provide the names and titles of all key management personnel who will be involved

with supervising the services rendered under the Agreement.

Subcontractors Identify all proposed subcontractors and their full roles that may be involved completing the Scope of Work. No work shall be subcontracted without knowledge of and approval by the State.

State Assistance Provide an estimate of expectation concerning participation by State personnel.

Confidentiality To the extent portions of a bidder’s proposal may be confidential, proprietary commercial information or trade secrets, the bidder shall highlight these sections, and provide justification why such materials, upon request, should not be disclosed by the State under the State’s Public Record Law (1 V.S.A. § 315 et seq.) . Contractor is advised that, upon request for this information from a third party, the Agency representative will be required to make an independent determination regarding whether the information may be disclosed.

Transmittal Letter The Contractor must submit a signed letter acknowledging the terms and conditions of the Master Agreement and any special requirements that may be included in a specific SOW Agreement.

REQUIRED PRICE PROPOSAL RESPONSE

All pricing must be fixed cost, inclusive of all expenses and fees if this Statement of Work proposal is for a fixed price agreement. (Remove if Time and Materials agreement)

For Time and Materials the pricing proposal must include estimated effort hours, hourly rate for proposed personnel, projected timeline, including timing expectations for the State functional and technical resources and be submitted as a separate document from the rest of the proposal. (Remove if not Time and Materials)

INVOICING AND PAYMENT Price each deliverable individually and understand that the final agreement may only contain certain deliverables. Deliverables should be performance-based and payments should not be made until final acceptance by the State – avoid prepayments and “front-loaded

of 58

payment schedules. The Contractor may invoice the State only after each agreed to deliverable has been accepted as satisfactory by the State.

All work performed by the Contractor must be approved in advance by the State. Once work has been completed, delivered and accepted by the State, invoicing can occur. The State’s payment terms are net 30 days.

EXAMPLE of PRICE PROPOSAL FORM

(not inclusive of all requirements defined above)

PRICE PROPOSAL FOR SOW-RFP PROJECT NAME_________________

Deliverables Expected Completion:

Hourly Rate (applicable for

Time and Materials)

Price (aggregate hourly

cost or Fixed price per

Deliverable) Deliverable I Date Deliverable II Date Deliverable III Date Combined Bid Date

The Price Proposal form must use the same deliverables as outlined in the Request from the State.

PROCEDURE FOR AWARDING A SOW AGREEMENT

EVALUATION CRITERIA (Verify evaluation criteria below is appropriate for your project)

The responses will be evaluated based on the following: • Quality of proposal content • Cost • Prior Experience with this type of work • Timeline for completion of work to be performed

Contractor selection, or the determination to terminate the SOW RFP without award shall be done in the best interest of the State.

COMMENCEMENT OF WORK UNDER A SOW AGREEMENT Commencement of work as a result of the SOW-RFP process shall be initiated only upon issuance of a fully executed SOW Agreement and Purchase Order.

of 58

SOW AGREEMENTS If selected, the Contractor will sign an SOW Agreement with the Contracting Agency to provide the deliverables set forth in its response and at prices agreed by the Contracting Agency. Minimum support levels set forth in this SOW RFP and terms, and conditions from the Master Agreement, including Attachment C thereto, will become part of each SOW Agreement. Each SOW Agreement will be subject to review throughout its term. The Contracting Agency will consider cancellation of each SOW Agreement, as well as the Master Agreement upon discovery that the Contractor is in violation of any portion of the Master Agreement or an SOW Agreement, including an inability by the Contractor to provide the products, support, and/or service offered in its response. Each SOW Agreement shall specify the term of the Agreement.

of 58

Attachment D2: Example of SOW Agreement

FORM STATEMENT OF WORK AGREEMENT SOW-RFP PROJECT TITLE__ XXXXXXXXX Project__ VISION PO #______________________________________________ PRE-QUALIFICATION CONTRACT # __XXXXX________________ (“Master Agreement”) This is a Statement of Work Agreement (“SOW Agreement”) between the State of Vermont, [CONTRACTING AGENCY] (hereafter called “State”) and _____________., with principal place of business at ____________________, (hereafter called “Contractor”). This SOW Agreement is entered into in accordance with the Master Agreement. The parties acknowledge and agree that all of the terms and conditions of the Master Agreement are hereby incorporated by reference into this SOW Agreement. This SOW Agreement shall not in any way amend, conflict with or supersede the Master Agreement and any such provisions of this SOW Agreement which purport to amend, conflict or supersede the Master Agreement shall be void and have no effect. For purposes of this SOW Agreement, the terms and conditions of Attachment C, Attachment A and Attachment B of the Master Agreement, in that order, shall take precedence and supersede in the event of any ambiguity, conflict or inconsistency with the provisions in this SOW Agreement, including any attachments hereto. . [Applicable to AHS SOW Agreements: This SOW Agreement incorporates Attachment(s) F-I attached to the Master Agreement.]

1. Time for Performance The term of this SOW Agreement shall begin on _________ and end on __________ (the “Initial Term”). The Initial Term is for a period of [duration of term], and may be extended as the parties may agree. In the event the term of the Master Agreement is not extended beyond [INSERT TERMINATION OF MASTER], this SOW Agreement shall terminate upon the termination of the Master Agreement.

2. Scope of Work The Contractor shall, in full satisfaction of the specific requirements of this SOW Agreement, provide the services set forth herein [and Attachments 1, 2, 3 to this SOW Agreement]. These services shall be provided in accordance with the Master Agreement and this SOW Agreement. In Scope: XXXXXXXXXX

Deliverables and Services Produced XXXXXXXXXXX

of 58

Phases (Remove or add if not needed) XXXXXXXXX

Approach (modify as needed)

Contractor shall provide a project manager to work as the primary point of contact with the State. As a part of its project management duties, the Contractor Project Manager will attend an agreed upon number of informational and status meetings and, when appropriate, call and lead such meetings. Such meetings may include the Project Management Team, the Contract Administrator, other consultants, elected officials, and other stakeholders as designated by the State. The Contractor Project Manager shall work directly with the State Project Manager to define, manage, and control the project scope, timeline, issue escalation and resolution processes. Contractor shall deliver written status reports on a weekly basis.

Status information shall include, at a minimum: all planned tasks accomplished, planned tasks that are incomplete, or behind schedule in the previous week (with reasons given for those behind schedule); all tasks planned for the upcoming two weeks; an updated status of tasks (entered into the project plan and attached to the status report – e.g., percent completed, resources assigned to tasks, etc.); and the status of any corrective actions undertaken. The report will also contain items such as the current status of the project’s technical progress and contractual obligations; achievements to date; risk management activities; unresolved issues; requirements to resolve unresolved issues; action items; problems; installation and maintenance results; and significant changes to Contractor’s organization or method of operation, to the project management team, or to the deliverable schedule, where applicable.

. In addition, Contractor will create and routinely update the project plan, if any, to reflect changes in the nature and timing of project activities, all changes being subject to the State Project Manager’s approval. Project deliverables and activities will be subject to the State’s quality management process to be defined by the State prior to the project kick-off.

Project Management/Business Analysis/Enterprise Architect (Require AG signoff)

[INDICATE STATE RESOURCES AND CENTRAL POINT OF CONTACT] [INDICATE KEY CONTRACTOR STAFF AND CONTRACTOR PROJECT MANAGER] [INDICATE PROJECT MANAGEMENT METHODOLOGY, IF APPLICABLE] PROJECT MANAGEMENT/BUSINESS ANALYST/ENTERPRISE ARCHITECT SERVICES • This SOW Agreement for Project Management/Business Analyst/Enterprise Architect

Services shall be submitted to the State of Vermont Office of the Attorney General for a determination in accordance with 3 V.S.A. § 342 that such engagement is not contrary to the spirit and intent of the classification plan and merit system principles and standards provided by Chapter 13 of Title 3 of the Vermont Statutes. Further, there shall be no

of 58

limitation of liability, including a waiver of consequential, indirect, special, punitive or exemplary damages, or disclaimers of warranty without approval from the Office of the Attorney General.

XXXXXXXXXXX

SOV Responsibilities (modify as needed) XXXXXXX

ORGANIZATION (modify as needed) XXXXXXXX CHANGE ORDERS Any change to an SOW Agreement that alters one or more aspects of the Project may require a formal change order. Modifications to Project scope, schedule, deliverables, or cost may require an amendment of the applicable SOW Agreement. While such changes may typically incur additional costs and possible delays relative to the Project schedule, some changes may result in less cost to the State (i.e.; the State decides we no longer need a deliverable in whole or part) or less effort on the part of the Contractor.

Change orders will be developed jointly and every effort will be made to adhere to the project management plan. The Project Manager for the State and the Project Manager for Contractor will decide whether a formal request for a change (“Change Request”), is necessary. If a Change Request is necessary, the Project Manager for requesting party will prepare a Change Request in a form acceptable to the State detailing the effort involved in implementing the change, the total cost or associated savings to the State, of implementing the change, and the effect, if any, of implementing the change on the Project schedule. Once completed, the Change Request will be submitted to the non-requesting party for review. The non-requesting party will make its best efforts to either approve or deny the Change Request in writing within ten (10) business days. No scope of work modifications shall be performed until a change order is executed and approved by the applicable Contracting Agency. In no event shall any delay in the approval or denial of a change request or the execution of a change order constitute a deemed approval by the State.

of 58

PAYMENT PROVISIONS (modify as needed) The maximum amount payable under this agreement is $_______________. In no case shall the total amount payable, including any change orders or amendments that may arise, exceed $100,000. Submit invoices to: State of Vermont, [CONTRACTING AGENCY], [CONTRACTING AGENCY ADDRESS], Montpelier, VT. 05633. Invoice should include Name of Project and Contract PO which is at top of this Form. [The State shall retain 10% of each payment to hold until the satisfactory completion of the Project by the prescribed time and to the satisfaction of the State. Payment of retained fees shall occur [one month after the completion date upon receipt of invoicing from Contractor] [MODIFY AS NEEDED], provided State has accepted all deliverables under this SOW Agreement.]

Payment Terms Payments to the Contractor shall be made as outlined below:

[ADD IF APPLICABLE] For services performed at an hourly rate on a time and materials basis, State shall pay Contractor at the rate of $___ per hour, however, total payment for services shall not exceed $__________________. [ADD IF APPLICABLE:]

ESTIMATED SOFTWARE, HARDWARE AND SUPPORT COSTS COST IN $

Total Estimated Software, Hardware, and Support Costs

The State shall not be responsible for any expenses of the Contractor.

SERVICES Date Amount Deliverable A Deliverable B Deliverable C Deliverable D

of 58

Taxes Due to the State. Contractor certifies under the pains and penalties of perjury that, as of the date this SOW Agreement is signed, the Contractor is in good standing with respect to, or in full compliance with a plan to pay, any and all taxes due the State of Vermont. Certification Regarding Suspension or Debarment. Contractor certifies under the pains and penalties of perjury that, as of the date this SOW Agreement is signed, neither Contractor nor Contractor’s principals (officers, directors, owners, or partners) are presently debarred, suspended, proposed for debarment, declared ineligible or excluded from participation in federal programs, or programs supported in whole or in part by federal funds. Contractor further certifies under pains and penalties of perjury that, as of the date this SOW Agreement is signed, Contractor is not presently debarred, suspended, nor named on the State’s debarment list at: http://bgs.vermont.gov/purchasing/debarment. WE THE UNDERSIGNED PARTIES AGREE TO BE BOUND BY THIS SOW

AGREEMENT.

<Insert SOW contractor Name> _____________________________________ ____________________________ Signature Date STATE OF VERMONT, <Insert Requesting Agency or business unit> _____________________________________ ____________________________ Signature Date State of Vermont, Attorney General Office (only when required) _____________________________________ ____________________________ Signature Date

http://bgs.vermont.gov/purchasing/debarment

of 58

ATTACHMENT E BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (“AGREEMENT”) IS ENTERED INTO BY AND BETWEEN THE STATE OF VERMONT AGENCY OF HUMAN SERVICES, OPERATING BY AND THROUGH ITS _______ [INSERT NAME OF AHS DEPARTMENT, OFFICE OR DIVISION] (“COVERED ENTITY”) AND [INSERT NAME OF CONTRACTOR/GRANTEE] (“BUSINESS ASSOCIATE”) AS OF _______ (“EFFECTIVE DATE”). THIS AGREEMENT SUPPLEMENTS AND IS MADE A PART OF THE CONTRACT/GRANT TO WHICH IT IS ATTACHED. Covered Entity and Business Associate enter into this Agreement to comply with standards promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 (“Privacy Rule”), and the Security Standards, at 45 CFR Parts 160 and 164 (“Security Rule”), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations. The parties agree as follows: 1. Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations. “Agent” means those person(s) who are agents(s) of the Business Associate, in accordance with the Federal common law of agency, as referenced in 45 CFR § 160.402(c).

“Breach” means the acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR § 164.402.

“Business Associate shall have the meaning given in 45 CFR § 160.103.

“Individual” includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g). “Protected Health Information” or PHI shall have the meaning given in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Agency.

“Security Incident” means any known successful or unsuccessful attempt by an authorized or unauthorized individual to inappropriately use, disclose, modify, access, or destroy any information or interference with system operations in an information system.

“Services” includes all work performed by the Business Associate for or on behalf of Covered Entity that requires the use and/or disclosure of protected health information to perform a

of 58

business associate function described in 45 CFR § 160.103 under the definition of Business Associate. “Subcontractor” means a person or organization to whom a Business Associate delegates a function, activity or service, other than in the capacity of a member of the workforce of the Business Associate. For purposes of this Agreement, the term Subcontractor includes Subgrantees. 2. Identification and Disclosure of Privacy and Security Offices. Business Associate and Subcontractors shall provide, within ten (10) days of the execution of this agreement, written notice to the Covered Entity’s contract/grant manager the names and contact information of both the HIPAA Privacy Officer and HIPAA Security Officer. This information must be updated any time either of these contacts changes.

3. Permitted and Required Uses/Disclosures of PHI.

3.1 Except as limited in this Agreement, Business Associate may use or disclose PHI to perform Services, as specified in the underlying grant or contract with Covered Entity. The uses and disclosures of Business Associate are limited to the minimum necessary, to complete the tasks or to provide the services associated with the terms of the underlying agreement. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule if used or disclosed by Covered Entity in that manner. Business Associate may not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

3.2 Business Associate may make PHI available to its employees who need access to perform Services provided that Business Associate makes such employees aware of the use and disclosure restrictions in this Agreement and binds them to comply with such restrictions. Business Associate may only disclose PHI for the purposes authorized by this Agreement: (a) to its agents and Subcontractors in accordance with Sections 9 and 17 or, (b) as otherwise permitted by Section 3. 3.3 Business Associate shall be directly liable under HIPAA for impermissible uses and disclosures of the PHI it handles on behalf of Covered Entity, and for impermissible uses and disclosures, by Business Associate’s Subcontractor(s), of the PHI that Business Associate handles on behalf of Covered Entity and that it passes on to Subcontractors.

4. Business Activities. Business Associate may use PHI received in its capacity as a Business Associate to Covered Entity if necessary for Business Associate’s proper management and administration or to carry out its legal responsibilities. Business Associate may disclose PHI received in its capacity as Business Associate to Covered Entity for Business Associate’s proper management and administration or to carry out its legal responsibilities if a disclosure is Required by Law or if Business Associate obtains reasonable written assurances via a written agreement from the person to whom the information is to be disclosed that the PHI shall remain confidential and be used or further disclosed only as Required by Law or for the purpose for

of 58

which it was disclosed to the person, and the Agreement requires the person or entity to notify Business Associate, within two (2) business days (who in turn will notify Covered Entity within two (2) business days after receiving notice of a Breach as specified in Section 6.1), in writing of any Breach of Unsecured PHI of which it is aware. Uses and disclosures of PHI for the purposes identified in Section 3 must be of the minimum amount of PHI necessary to accomplish such purposes. 5. Safeguards. Business Associate, its Agent(s) and Subcontractor(s) shall implement and use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect to any PHI that is maintained in or transmitted by electronic media, Business Associate or its Subcontractor(s) shall comply with 45 CFR sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements). Business Associate or its Agent(s) and Subcontractor(s) shall identify in writing upon request from Covered Entity all of the safeguards that it uses to prevent impermissible uses or disclosures of PHI. 6. Documenting and Reporting Breaches.

6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than two (2) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. 6.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR § 164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it. Business Associate shall require its Subcontractor(s) to agree to these same terms and conditions. 6.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402, and therefore does not necessitate notice to the impacted individual(s), it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity. It shall also provide Covered Entity with 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low probability that the PHI had been compromised. When a breach is the responsibility of a member of its Subcontractor’s workforce, Business Associate shall either 1) conduct its own risk assessment and draft a summary of the event and assessment or 2) require its Subcontractor to conduct the assessment and draft a summary of the event. In either

of 58

case, Business Associate shall make these assessments and reports available to Covered Entity. 6.4 Business Associate shall require, by contract, a Subcontractor to report to Business Associate and Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2) business days after becomes aware of the Breach.

7. Mitigation and Corrective Action. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible use or disclosure of PHI, even if the impermissible use or disclosure does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to address any incident of impermissible use or disclosure of PHI. If requested by Covered Entity, Business Associate shall make its mitigation and corrective action plans available to Covered Entity. Business Associate shall require a Subcontractor to agree to these same terms and conditions. 8. Providing Notice of Breaches.

8.1 If Covered Entity determines that an impermissible acquisition, access, use or disclosure of PHI for which one of Business Associate’s employees or agents was responsible constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity, Business Associate shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When requested to provide notice, Business Associate shall consult with Covered Entity about the timeliness, content and method of notice, and shall receive Covered Entity’s approval concerning these elements. The cost of notice and related remedies shall be borne by Business Associate. 8.2 If Covered Entity or Business Associate determines that an impermissible acquisition, access, use or disclosure of PHI by a Subcontractor of Business Associate constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity or Business Associate, Subcontractor shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When Covered Entity requests that Business Associate or its Subcontractor provide notice, Business Associate shall either 1) consult with Covered Entity about the specifics of the notice as set forth in section 8.1, above, or 2) require, by contract, its Subcontractor to consult with Covered Entity about the specifics of the notice as set forth in section 8.1

8.3 The notice to affected individuals shall be provided as soon as reasonably possible and in no case later than 60 calendar days after Business Associate reported the Breach to Covered Entity. 8.4 The notice to affected individuals shall be written in plain language and shall include, to the extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHI that were involved in the Breach, 3) any steps individuals can take to protect themselves from potential harm resulting from the Breach, 4) a brief description of what the Business Associate is doing to investigate the Breach, to mitigate harm to individuals and to protect against further Breaches, and 5) contact procedures for

of 58

individuals to ask questions or obtain additional information, as set forth in 45 CFR § 164.404(c).

8.5 Business Associate shall notify individuals of Breaches as specified in 45 CFR § 164.404(d) (methods of individual notice). In addition, when a Breach involves more than 500 residents of Vermont, Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont, following the requirements set forth in 45 CFR § 164.406.

9. Agreements with Subcontractors. Business Associate shall enter into a Business Associate Agreement with any Subcontractor to whom it provides PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in which the Subcontractor agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI. Business Associate must enter into this Business Associate Agreement before any use by or disclosure of PHI to such agent. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of PHI. Business Associate shall provide a copy of the Business Associate Agreement it enters into with a subcontractor to Covered Entity upon request. Business associate may not make any disclosure of PHI to any Subcontractor without prior written consent of Covered Entity. 10. Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR § 164.524. Business Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any request for access to PHI that Business Associate directly receives from an Individual. 11. Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request of Covered Entity or an Individual. Business Associate shall make such amendments in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any request for amendment to PHI that Business Associate directly receives from an Individual. 12. Accounting of Disclosures. Business Associate shall document disclosures of PHI and all information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall provide such information to Covered Entity or as directed by Covered Entity to an Individual, to permit Covered Entity to respond to an accounting request. Business Associate shall provide such information in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any accounting request that Business Associate directly receives from an Individual.

of 58

13. Books and Records. Subject to the attorney-client and other applicable legal privileges, Business Associate shall make its internal practices, books, and records (including policies and procedures and PHI) relating to the use and disclosure of PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity available to the Secretary in the time and manner designated by the Secretary. Business Associate shall make the same information available to Covered Entity, upon Covered Entity’s request, in the time and manner reasonably designated by Covered Entity so that Covered Entity may determine whether Business Associate is in compliance with this Agreement. 14. Termination.

14.1 This Agreement commences on the Effective Date and shall remain in effect until terminated by Covered Entity or until all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity subject to Section 18.8. 14.2 If Business Associate breaches any material term of this Agreement, Covered Entity may either: (a) provide an opportunity for Business Associate to cure the breach and Covered Entity may terminate the contract or grant without liability or penalty if Business Associate does not cure the breach within the time specified by Covered Entity; or (b) immediately terminate the contract or grant without liability or penalty if Covered Entity believes that cure is not reasonably possible; or (c) if neither termination nor cure are feasible, Covered Entity shall report the breach to the Secretary. Covered Entity has the right to seek to cure any breach by Business Associate and this right, regardless of whether Covered Entity cures such breach, does not lessen any right or remedy available to Covered Entity at law, in equity, or under the contract or grant, nor does it lessen Business Associate’s responsibility for such breach or its duty to cure such breach.

15. Return/Destruction of PHI.

15.1 Business Associate in connection with the expiration or termination of the contract or grant shall return or destroy, at the discretion of the Covered Entity, all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity pursuant to this Master Agreement and any SOW Agreement entered into hereunder or grant that Business Associate still maintains in any form or medium (including electronic) within thirty (30) days after such expiration or termination. Business Associate shall not retain any copies of the PHI. Business Associate shall certify in writing for Covered Entity (1) when all PHI has been returned or destroyed and (2) that Business Associate does not continue to maintain any PHI. Business Associate is to provide this certification during this thirty (30) day period. 15.2 Business Associate shall provide to Covered Entity notification of any conditions that Business Associate believes make the return or destruction of PHI infeasible. If Covered Entity agrees that return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible

of 58

for so long as Business Associate maintains such PHI. This shall also apply to all Agents and Subcontractors of Business Associate.

16. Penalties and Training. Business Associate understands that: (a) there may be civil or criminal penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law enforcement officials and regulatory, accreditation, and licensure organizations. If requested by Covered Entity, Business Associate shall participate in training regarding the use, confidentiality, and security of PHI. 17. Security Rule Obligations. The following provisions of this section apply to the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity.

17.1 Business Associate shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall identify in writing upon request from Covered Entity all of the safeguards that it uses to protect such Electronic PHI. 17.2 Business Associate shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Business Associate must enter into this written agreement before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Business Associate shall provide a copy of the written agreement to Covered Entity upon request. Business Associate may not make any disclosure of Electronic PHI to any Agent or Subcontractor without the prior written consent of Covered Entity.

17.3 Business Associate shall report in writing to Covered Entity any Security Incident pertaining to such Electronic PHI (whether involving Business Associate or an Agent or Subcontractor). Business Associate shall provide this written report as soon as it becomes aware of any such Security Incident, and in no case later than two (2) business days after it becomes aware of the incident. Business Associate shall provide Covered Entity with the information necessary for Covered Entity to investigate any such Security Incident. 17.4 Business Associate shall comply with any reasonable policies and procedures Covered Entity implements to obtain compliance under the Security Rule.

18. Miscellaneous.

of 58

18.1 In the event of any conflict or inconsistency between the terms of this Agreement and the terms of the contract/grant, the terms of this Agreement shall govern with respect to its subject matter. Otherwise, the terms of the contract/grant continue in effect. 18.2 Business Associate shall cooperate with Covered Entity to amend this Agreement from time to time as is necessary for Covered Entity to comply with the Privacy Rule, the Security Rule, or any other standards promulgated under HIPAA. 18.3 Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule, Security Rule, or any other standards promulgated under HIPAA.

18.4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g., HIPAA, the Privacy Rule and Security Rule, and the HIPAA omnibus final rule) in construing the meaning and effect of this Agreement. 18.5 As between Business Associate and Covered Entity, Covered Entity owns all PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity.

18.6 Business Associate shall abide by the terms and conditions of this Agreement with respect to all PHI it receives from Covered Entity or creates or receives on behalf of Covered Entity even if some of that information relates to specific services for which Business Associate may not be a “Business Associate” of Covered Entity under the Privacy Rule. 18.7 Business Associate is prohibited from directly or indirectly receiving any remuneration in exchange for an individual’s PHI. Business Associate will refrain from marketing activities that would violate HIPAA, including specifically Section 13406 of the HITECH Act. Reports or data containing the PHI may not be sold without Agency’s or the affected individual’s written consent.

18.8 The provisions of this Agreement that by their terms encompass continuing rights or responsibilities shall survive the expiration or termination of this Agreement. For example: (a) the provisions of this Agreement shall continue to apply if Covered Entity determines that it would be infeasible for Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation of Business Associate to provide an accounting of disclosures as set forth in Section 11 survives the expiration or termination of this Agreement with respect to accounting requests, if any, made after such expiration or termination.

(Rev: 5/5/15)

of 58

ATTACHMENT F AGENCY OF HUMAN SERVICES’ CUSTOMARY CONTRACT PROVISIONS

1. Agency of Human Services – Field Services Directors will share oversight with the

department (or field office) that is a party to the contract for provider performance using outcomes, processes, terms and conditions agreed to under this Master Agreement and any SOW Agreement entered into hereunder.

2. 2-1-1 Data Base: The Contractor providing a health or human services within Vermont, or near the border that is readily accessible to residents of Vermont, will provide relevant descriptive information regarding its agency, programs and/or contact and will adhere to the "Inclusion/Exclusion" policy of Vermont's United Way/Vermont 211. If included, the Contractor will provide accurate and up to date information to their data base as needed. The “Inclusion/Exclusion” policy can be found at www.vermont211.org

3. Medicaid Program Contractors:

Inspection of Records: Any contracts accessing payments for services through the Global Commitment to Health Waiver and Vermont Medicaid program must fulfill state and federal legal requirements to enable the Agency of Human Services (AHS), the United States Department of Health and Human Services (DHHS) and the Government Accounting Office (GAO) to:

Evaluate through inspection or other means the quality, appropriateness, and timeliness of services performed; and Inspect and audit any financial records of such Contractor or subcontractor.

Subcontracting for Medicaid Services: Having a subcontract does not terminate the Contractor, receiving funds under Vermont’s Medicaid program, from its responsibility to ensure that all activities under this agreement are carried out. Subcontracts must specify the activities and reporting responsibilities of the Contractor or subcontractor and provide for revoking delegation or imposing other sanctions if the Contractor or subcontractor’s performance is inadequate. The Contractor agrees to make available upon request to the Agency of Human Services; the Department of Vermont Health Access; the Department of Disabilities, Aging and Independent Living; and the Center for Medicare and Medicaid Services (CMS) all contracts and subcontracts between the Contractor and service providers. Medicaid Notification of Termination Requirements: Any Contractor accessing payments for services under the Global Commitment to Health Waiver and Medicaid programs who terminates their practice will follow the Department of Vermont Health Access, Managed Care Organization enrollee notification requirements. Encounter Data: Any Contractor accessing payments for services through the Global Commitment to Health Waiver and Vermont Medicaid programs must provide encounter data to the Agency of Human Services and/or its departments and ensure that it can be linked to enrollee eligibility files maintained by the State. Federal Medicaid System Security Requirements Compliance: All contractors and subcontractors must provide a security plan, risk assessment, and security controls review document within three months of the start date of this agreement (and update it annually

http://www.vermont211.org/

of 58

thereafter) to support audit compliance with 45CFR95.621 subpart F, ADP (Automated Data Processing) System Security Requirements and Review Process.

4. Non-discrimination Based on National Origin as evidenced by Limited English Proficiency. The Contractor agrees to comply with the non-discrimination requirements of Title VI of the Civil Rights Act of 1964, 42 USC Section 2000d, et seq., and with the federal guidelines promulgated pursuant to Executive Order 13166 of 2000, which require that contractors and subcontractors receiving federal funds must assure that persons with limited English proficiency can meaningfully access services. To the extent the Contractor provides assistance to individuals with limited English proficiency through the use of oral or written translation or interpretive services in compliance with this requirement, such individuals cannot be required to pay for such services.

5. Voter Registration. When designated by the Secretary of State, the Contractor agrees to become a voter registration agency as defined by 17 V.S.A. §2103 (41), and to comply with the requirements of state and federal law pertaining to such agencies.

6. Drug Free Workplace Act. The Contractor will assure a drug-free workplace in accordance with 45 CFR Part 76.

7. Privacy and Security Standards. Protected Health Information: The Contractor shall maintain the privacy and security of all individually identifiable health information acquired by or provided to it as a part of the performance of Master Agreement and any SOW Agreement entered into hereunder. The Contractor shall follow federal and state law relating to privacy and security of individually identifiable health information as applicable, including the Health Insurance Portability and Accountability Act (HIPAA) and its federal regulations. Substance Abuse Treatment Information: The confidentiality of any alcohol and drug abuse treatment information acquired by or provided to the Contractor or subcontractor shall be maintained in compliance with any applicable state or federal laws or regulations and specifically set out in 42 CFR Part 2. Other Confidential Consumer Information: The Contractor agrees to comply with the requirements of AHS Rule No. 08-048 concerning access to information. The Contractor agrees to comply with any applicable Vermont State Statute, including but not limited to 12 VSA §1612 and any applicable Board of Health confidentiality regulations. The Contractor shall ensure that all of its employees and subcontractors performing services under this agreement understand the sensitive nature of the information that they may have access to and sign an affirmation of understanding regarding the information’s confidential and non-public nature. Social Security numbers: The Contractor agrees to comply with all applicable Vermont State Statutes to assure protection and security of personal information, including protection from identity theft as outlined in Title 9, Vermont Statutes Annotated, Ch. 62.

8. Abuse Registry. The Contractor agrees not to employ any individual, use any volunteer, or otherwise provide reimbursement to any individual in the performance of services connected with this agreement, who provides care, custody, treatment, transportation, or supervision to children or vulnerable adults if there is a substantiation of abuse or neglect or exploitation against that individual. The Contractor will check the Adult Abuse Registry in the Department

of 58

of Disabilities, Aging and Independent Living. Unless the Contractor holds a valid child care license or registration from the Division of Child Development, Department for Children and Families, the Contractor shall also check the Central Child Protection Registry. (See 33 V.S.A. §4919(a)(3) & 33 V.S.A. §6911(c)(3)).

9. Reporting of Abuse, Neglect, or Exploitation. Consistent with provisions of 33 V.S.A. §4913(a) and §6903, any agent or employee of a Contractor who, in the performance of services connected with this agreement, has contact with clients or is a caregiver and who has reasonable cause to believe that a child or vulnerable adult has been abused or neglected as defined in Chapter 49 or abused, neglected, or exploited as defined in Chapter 69 of Title 33 V.S.A. shall make a report involving children to the Commissioner of the Department for Children and Families within 24 hours or a report involving vulnerable adults to the Division of Licensing and Protection at the Department of Disabilities, Aging, and Independent Living within 48 hours. This requirement applies except in those instances where particular roles and functions are exempt from reporting under state and federal law. Reports involving children shall contain the information required by 33 V.S.A. §4914. Reports involving vulnerable adults shall contain the information required by 33 V.S.A. §6904. The Contractor will ensure that its agents or employees receive training on the reporting of abuse or neglect to children and abuse, neglect or exploitation of vulnerable adults.

10. Intellectual Property/Work Product Ownership. All data, technical information, materials first gathered, originated, developed, prepared, or obtained as a condition of this agreement and used in the performance of this agreement - including, but not limited to all reports, surveys, plans, charts, literature, brochures, mailings, recordings (video or audio), pictures, drawings, analyses, graphic representations, software computer programs and accompanying documentation and printouts, notes and memoranda, written procedures and documents, which are prepared for or obtained specifically for this agreement - or are a result of the services required under this grant - shall be considered "work for hire" and remain the property of the State of Vermont, regardless of the state of completion - unless otherwise specified in this agreement. Such items shall be delivered to the State of Vermont upon 30 days notice by the State. With respect to software computer programs and / or source codes first developed for the State, all the work shall be considered "work for hire,” i.e., the State, not the Contractor or subcontractor, shall have full and complete ownership of all software computer programs, documentation and/or source codes developed.

The Contractor shall not sell or copyright a work product or item produced under this agreement without explicit permission from the State.

If the Contractor is operating a system or application on behalf of the State of Vermont, then the Contractor shall not make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Contractor’s materials.

11. Security and Data Transfers. The State shall work with the Contractor to ensure compliance with all applicable State and Agency of Human Services' policies and standards, especially those related to privacy and security. The State will advise the Contractor of any new policies, procedures, or protocols developed during the term of this agreement as they are issued and will work with the Contractor to implement any required.

of 58

The Contractor will ensure the physical and data security associated with computer equipment - including desktops, notebooks, and other portable devices - used in connection with this agreement. The Contractor will also assure that any media or mechanism used to store or transfer data to or from the State includes industry standard security mechanisms such as continually up-to-date malware protection and encryption. The Contractor will make every reasonable effort to ensure media or data files transferred to the State are virus and spyware free. At the conclusion of this agreement and after successful delivery of the data to the State, the Contractor shall securely delete data (including archival backups) from the Contractor's equipment that contains individually identifiable records, in accordance with standards adopted by the Agency of Human Services.

12. Computing and Communication: The Contractor shall select, in consultation with the Agency of Human Services’ Information Technology unit, one of the approved methods for secure access to the State’s systems and data, if required. Approved methods are based on the type of work performed by the Contractor as part of this agreement. Options include, but are not limited to: 1. Contractor’s provision of certified computing equipment, peripherals and mobile devices,

on a separate Contractor’s network with separate internet access. The Agency of Human Services’ accounts may or may not be provided.

2. State supplied and managed equipment and accounts to access state applications and data, including State issued active directory accounts and application specific accounts, which follow the National Institutes of Standards and Technology (NIST) security and the Health Insurance Portability & Accountability Act (HIPAA) standards.

The State will not supply e-mail accounts to the Contractor.

13. Lobbying. No federal funds under this agreement may be used to influence or attempt to influence an officer or employee of any agency, a member of Congress, an officer or employee of Congress, or an employee of a member of Congress in connection with the awarding of any federal contract, continuation, renewal, amendments other than federal appropriated funds.

14. Non–discrimination. The Contractor will prohibit discrimination on the basis of age under the Age Discrimination Act of 1975, on the basis of handicap under section 504 of the Rehabilitation Act of 1973, on the basis of sex under Title IX of the Education Amendments of 1972, or on the basis of race, color or national origin under Title VI of the Civil Rights Act of 1964. No person shall on the grounds of sex (including, in the case of a woman, on the grounds that the woman is pregnant) or on the grounds of religion, be excluded from participation in, be denied the benefits of, or be subjected to discrimination, to include sexual harassment, under any program or activity supported by state and/or federal funds. The Contractor will also not refuse, withhold from or deny to any person the benefit of services, facilities, goods, privileges, advantages, or benefits of public accommodation on the basis of disability, race, creed, color, national origin, marital status, sex, sexual orientation or gender identity under Title 9 V.S.A. Chapter 139.

15. Environmental Tobacco Smoke. Public Law 103-227, also known as the Pro-children Act of 1994 (Act), requires that smoking not be permitted in any portion of any indoor facility owned or leased or contracted for by an entity and used routinely or regularly for the

of 58

provision of health, child care, early childhood development services, education or library services to children under the age of 18, if the services are funded by federal programs either directly or through state or local governments, by federal grant, contract, loan or loan guarantee. The law also applies to children's services that are provided in indoor facilities that are constructed, operated, or maintained with such Federal funds. The law does not apply to children's services provided in private residences; portions of facilities used for inpatient drug or alcohol treatment; service providers whose sole source of applicable federal funds is Medicare or Medicaid; or facilities where Women, Infants, & Children (WIC) coupons are redeemed. Failure to comply with the provisions of the law may result in the imposition of a civil monetary penalty of up to $1,000 for each violation and/or the imposition of an administrative compliance order on the responsible entity. Contractors are prohibited from promoting the use of tobacco products for all clients. Facilities supported by state and federal funds are prohibited from making tobacco products available to minors.

Attachment F - Revised AHS -12/10/10

state of vermont retainer contract for it professional...

Documents